Expired Security Certificate Is Blocking Visitors and Breaking Encrypted Connections

Your website's security certificate has expired. This certificate is what tells browsers your site is safe and keeps data encrypted between your site and your visitors. Right now, anyone visiting your site is likely seeing a full-screen warning saying 'Your connection is not private' — and most people will leave immediately rather than click through.

Business Impact And Actions

immediate urgency

Business Impact

An expired certificate has immediate, visible consequences: visitors are turned away by browser warnings, which directly reduces traffic and sales conversions. If your site uses a strict security policy called HSTS, some browsers will refuse to load the site at all — with no way for the visitor to bypass it. Beyond lost revenue, an expired certificate signals carelessness to customers and can raise flags during compliance audits (e.g., PCI-DSS for payment processing). Search engines may also deprioritize your site, compounding the traffic loss over time.

What To Do

  1. Ask your developer or hosting provider to renew the SSL/TLS certificate today — this is typically a 30–60 minute task and is often free using a service called Let's Encrypt.
  2. If your site is hosted on a managed platform (e.g., Shopify, Squarespace, Cloudflare, AWS), log in to your dashboard and check the SSL/certificate settings — many platforms can renew with one click.
  3. Once renewed, ask your developer to set up automatic certificate renewal so this never happens again. Tools like Certbot can handle this automatically at no cost.
  4. Check whether any other domains or subdomains you own also have certificates nearing expiry — ask your developer to audit all certificates at the same time.

Expired SSL/TLS Certificate — Immediate Renewal Required

high severity CVSS 7.0-7.5

Vulnerability Explanation

The server is presenting an SSL/TLS certificate whose validity period has elapsed. When a browser initiates a TLS handshake, it validates the certificate's notAfter date against the current time. If the certificate is expired, validation fails regardless of which CA issued it, and browsers display a full-screen security interstitial (e.g., NET::ERR_CERT_DATE_INVALID in Chrome). If the domain has HSTS enabled, browsers will hard-block access entirely with no user bypass option, making the site completely unreachable. Additionally, APIs, mobile apps, and automated systems that perform strict certificate validation will silently refuse to connect, potentially breaking integrations and backend services.

Root Cause

SSL/TLS certificates have a defined validity period (currently up to 398 days for publicly trusted certificates, with the CA/Browser Forum reducing this to 47 days by 2029). Expiry occurs when no automated renewal process is in place, renewal notifications are missed, or a manual renewal process fails silently. This is an operational gap — the certificate itself was valid when issued, but lifecycle management was not maintained.

Technical Impact

Immediate user-facing impact: browsers display 'Your connection is not private' warnings, causing near-total abandonment of affected pages. If HSTS is active, the site becomes completely inaccessible. API clients and mobile apps performing certificate validation will fail silently. Data transmitted over the connection is no longer protected by a trusted encrypted channel, and the server's identity can no longer be verified by clients — creating conditions where a man-in-the-middle attacker could intercept or manipulate traffic if a client bypasses the warning.

Severity Justification

Expired certificates cause immediate service disruption and remove the trust anchor for encrypted communications. While exploitation requires a network-positioned attacker, the primary impact is availability loss and trust failure, which is immediate and measurable. CVSS factors: AV:N, AC:H, PR:N, UI:R, S:U, C:H, I:L, A:H.

Affected Components

  • SSL/TLS Certificate — all versions once past notAfter date

Remediation Steps

  1. Identify the expired certificate: run `echo | openssl s_client -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates` to confirm expiry date and which certificate is affected (note: the issue may be an intermediate certificate, not just the leaf).
  2. If using Let's Encrypt / Certbot, force-renew immediately: `sudo certbot renew --force-renewal --nginx` (Nginx) or `sudo certbot renew --force-renewal --apache` (Apache), then reload the web server: `sudo systemctl reload nginx` or `sudo systemctl reload apache2`.
  3. If using a commercial CA (DigiCert, Sectigo, etc.), generate a new CSR, submit it to your CA, and install the returned certificate and full chain on your server per your CA's documentation.
  4. After installing the new certificate, verify the full chain is correctly configured — missing intermediate certificates are a common cause of chain errors: `openssl verify -CAfile /etc/ssl/certs/ca-certificates.crt /path/to/cert.pem`. Note that this checks the leaf against the local trust store only; pass the intermediates with `-untrusted /path/to/chain.pem` so the command exercises the same chain the server will send, and confirm the served chain itself with `echo | openssl s_client -connect yourdomain.com:443 -showcerts`, which should report `Verify return code: 0 (ok)`.
  5. Enable automatic renewal to prevent recurrence: Certbot installs a systemd timer or cron job automatically. Verify it is active with `systemctl list-timers | grep certbot` or `crontab -l | grep certbot`. If missing, add: `0 */12 * * * root certbot -q renew --nginx` to `/etc/cron.d/certbot`.
  6. Set up external certificate expiry monitoring (e.g., UptimeRobot, Datadog, or a simple cron using `openssl s_client`) to alert at 30 days and 7 days before expiry.
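The following script is an added example (not VulWall's code) implementing the expiry monitor from step 6 together with the served-chain check from step 4: it computes the days left on the leaf certificate, maps them to the 30-day and 7-day alert thresholds, and reports whether the chain the server actually sends validates. It assumes GNU `date -d` (Linux coreutils) and a local `openssl`; the host name is a placeholder.

```bash
#!/usr/bin/env bash
# Added example, not part of the original advisory.
# Certificate expiry and chain monitor built on `openssl s_client`.
set -euo pipefail

# Whole days from "now" until notAfter (format as printed by `openssl x509 -enddate`).
# Expired certificates yield a negative number, rounded down so that a certificate
# that lapsed an hour ago reports -1 rather than 0. Assumes GNU date.
days_until_expiry() {
  local not_after="$1"                 # e.g. "May 25 00:00:00 2026 GMT"
  local now="${2:-$(date -u +%s)}"     # epoch override, used for offline testing
  local exp diff
  exp=$(date -u -d "$not_after" +%s)
  diff=$(( exp - now ))
  if (( diff < 0 )); then echo $(( (diff - 86399) / 86400 )); else echo $(( diff / 86400 )); fi
}

# Alert level for the 30-day / 7-day thresholds recommended in the advisory.
expiry_status() {
  local days="$1"
  if   (( days < 0 ));   then echo "EXPIRED"
  elif (( days <= 7 ));  then echo "CRITICAL"
  elif (( days <= 30 )); then echo "WARNING"
  else                        echo "OK"
  fi
}

# Fetch the served chain (leaf first) and report expiry plus chain validation.
# "Verify return code: 0 (ok)" means the leaf AND the served intermediates
# validated against the local trust store; a missing intermediate shows up
# here as code 20/21 even when the leaf itself is unexpired.
check_host() {
  local host="$1" port="${2:-443}"
  local chain not_after days status verify
  chain=$(echo | openssl s_client -servername "$host" -connect "$host:$port" -showcerts 2>/dev/null)
  not_after=$(printf '%s\n' "$chain" | openssl x509 -noout -enddate | cut -d= -f2)
  days=$(days_until_expiry "$not_after")
  status=$(expiry_status "$days")
  verify=$(printf '%s\n' "$chain" | grep -o 'Verify return code: [0-9]* (.*)' | head -n1 || true)
  printf '%s notAfter="%s" days_left=%s status=%s %s\n' \
    "$host" "$not_after" "$days" "$status" "${verify:-Verify return code: unknown}"
}

# Usage from cron: ./cert_check.sh yourdomain.com [port]  (placeholder host)
if [[ -n "${1:-}" ]]; then check_host "$@"; fi
```

Run it from a cron job and page on any line whose status is not OK; the `days_left` field feeds naturally into a metrics system if you prefer a gauge over text alerts.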

Verification Steps

  1. Run `echo | openssl s_client -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates` and confirm `notAfter` is a future date.
  2. Visit https://www.ssllabs.com/ssltest/ and run a full SSL Labs scan — the grade should be A or A+ with no certificate errors.
  3. Check the browser padlock icon in Chrome/Firefox — clicking it should show 'Connection is secure' with a valid certificate expiry date.
  4. Test automatic renewal with a dry run: `sudo certbot renew --dry-run` — confirm it completes without errors.

Code Examples (bash)

Vulnerable
# Check current certificate status
echo | openssl s_client -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates

# Example output showing expired certificate:
# notBefore=Jan  1 00:00:00 2023 GMT
# notAfter=Jan  1 00:00:00 2024 GMT  ← EXPIRED

Fixed
# Force renew with Certbot (Let's Encrypt)
sudo certbot renew --force-renewal --nginx
sudo systemctl reload nginx

# Verify new certificate dates after renewal:
echo | openssl s_client -connect yourdomain.com:443 2>/dev/null | openssl x509 -noout -dates
# notBefore=Feb 24 00:00:00 2026 GMT
# notAfter=May 25 00:00:00 2026 GMT  ← Valid

# Confirm auto-renewal cron/timer is active:
systemctl list-timers | grep certbot
# OR
crontab -l | grep certbot

Best Practices

  • Use automated certificate management (Certbot with Let's Encrypt, AWS ACM, or Cloudflare) to eliminate manual renewal as a failure point.
  • Configure expiry monitoring with alerts at 30 days and 7 days before expiry — do not rely solely on CA email notifications.
  • Always install the full certificate chain (leaf + intermediates) to prevent chain validation errors across different clients.
  • With certificate validity periods shortening to 47 days by 2029 (CA/Browser Forum Ballot SC-081v3), automation is no longer optional — plan for it now.

VulWall scans for this and dozens of other issues automatically.